Policy

EU Chat Control and the Future of End-to-End Encryption

Europe’s “Chat Control” debate is often reduced to slogans: either “save children” or “save encryption.” Serious policy work is harder. You have to optimize for both child protection outcomes and robust communication security, while being honest about false positives, abuse potential, and implementation risk.

What the proposal tries to solve

The European Commission’s 2022 proposal (COM(2022) 209) responds to a real and severe problem: online child sexual abuse material (CSAM) and grooming at massive scale. The explanatory memorandum cites very high report volumes, including over 21 million reports in 2020 and close to 30 million in 2021 via NCMEC pipelines.

So the policy objective is not hypothetical. The question is implementation architecture: how to improve detection and response without introducing systemic security fragility.

The technical tension in one sentence

End-to-end encryption (E2EE) protects content by ensuring only endpoints can read messages. Broad scanning mandates require additional inspection before, during, or around communication flows. That shifts trust assumptions from “endpoints only” to “endpoints plus scanning pipeline plus governance controls.”

Every new trusted component is another place where compromise, misuse, or policy drift can occur.

Why engineers are worried (even when they support child protection goals)

  1. Expanded attack surface. Any client-side or server-side scanning mechanism is a new privileged component that can be attacked from outside or misused by insiders. Client-side scanning additionally ships the matching logic (hash lists or models) to every device, where it can be extracted, reverse-engineered, and tested for evasion.

  2. Function creep risk. A capability introduced for one narrow abuse category may later be repurposed under political pressure.

  3. False positives at scale. Abusive content is a tiny fraction of all traffic, so even a detector with a very low false-positive rate produces a large absolute number of false flags over billions of messages, and those false flags can outnumber genuine detections many times over (for illustration only: a 0.01% false-positive rate applied to one billion benign messages yields 100,000 false flags).

  4. Cross-border governance complexity. Legal standards, oversight quality, and remedy pathways vary across jurisdictions.
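The base-rate effect behind point 3 can be made concrete. The following is an added example, not code from the original article or from any provider; the traffic volume, prevalence, sensitivity and false-positive rates it uses are illustrative assumptions, not figures from COM(2022) 209.

```python
"""Base-rate arithmetic for message scanning at scale.

Added illustration; all inputs are assumed numbers, not figures from
COM(2022) 209 or any provider's published statistics.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanOutcome:
    """Expected counts from scanning n_messages with a given detector."""
    n_messages: float
    flagged: float          # messages sent on to review/reporting
    true_positives: float   # abusive messages correctly flagged
    false_positives: float  # benign messages wrongly flagged
    precision: float        # share of flags that are genuine (PPV)


def expected_outcome(n_messages: float, prevalence: float,
                     sensitivity: float, false_positive_rate: float) -> ScanOutcome:
    """Expected flag counts for a detector run over a message stream.

    prevalence:          fraction of messages that are actually abusive
    sensitivity:         fraction of abusive messages the detector flags (TPR)
    false_positive_rate: fraction of benign messages the detector flags (FPR)
    """
    for name, value in (("prevalence", prevalence), ("sensitivity", sensitivity),
                        ("false_positive_rate", false_positive_rate)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    positives = n_messages * prevalence
    negatives = n_messages - positives
    tp = positives * sensitivity
    fp = negatives * false_positive_rate
    flagged = tp + fp
    precision = tp / flagged if flagged > 0 else 0.0
    return ScanOutcome(n_messages, flagged, tp, fp, precision)


def fpr_for_target_precision(prevalence: float, sensitivity: float,
                             target_precision: float) -> float:
    """False-positive rate a detector must reach for flags to hit target_precision.

    Derived from precision = tp / (tp + fp) with tp = p*s*N and fp = (1-p)*f*N,
    solved for f. The result does not depend on N.
    """
    if not 0.0 < target_precision < 1.0:
        raise ValueError("target_precision must be strictly between 0 and 1")
    if prevalence >= 1.0:
        raise ValueError("prevalence must be < 1 for a benign population to exist")
    return (prevalence * sensitivity * (1.0 - target_precision)) / (
        (1.0 - prevalence) * target_precision)


def precision_sweep(n_messages, prevalence, sensitivity, fprs):
    """Precision and false-flag count for each candidate false-positive rate."""
    return [(fpr, expected_outcome(n_messages, prevalence, sensitivity, fpr))
            for fpr in fprs]


if __name__ == "__main__":
    # Assumed scenario (illustrative only): one billion messages per day,
    # 1 in 100,000 abusive, detector catches 90% of them.
    N, P, S = 1_000_000_000, 1e-5, 0.9
    print(f"{'FPR':>8} {'flags/day':>12} {'false flags':>12} {'precision':>10}")
    for fpr, out in precision_sweep(N, P, S, [1e-2, 1e-3, 1e-4, 1e-5, 1e-6]):
        print(f"{fpr:>8.0e} {out.flagged:>12,.0f} {out.false_positives:>12,.0f} "
              f"{out.precision:>10.1%}")
    need = fpr_for_target_precision(P, S, 0.5)
    print(f"For half of all flags to be genuine, FPR must be <= {need:.2e}")
```

Under these assumed inputs a detector with 99.99% specificity (FPR 1e-4) still sends roughly 100,000 benign messages per day into the reporting pipeline, and fewer than one flag in ten is genuine; reaching even 50% precision requires an FPR below about 1e-5. The sweep makes the governance point quantitative: the review and remedy capacity a mandate implies is set by the benign traffic volume, not by the number of real cases.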

Why policy teams are equally worried about doing nothing

The status quo has costs too:

  • victims remain unidentified for longer,

  • law enforcement receives uneven-quality reports,

  • providers face fragmented national obligations and legal uncertainty.

So the realistic policy problem is not “scan or do nothing.” It is how to target interventions without collapsing baseline communication security for everyone.

A balanced architecture: targeted powers + strong safeguards

A defensible middle path usually includes:

  Policy component                          Design principle
  Detection obligations                     Risk-based and service-specific, not universal blanket monitoring
  Judicial or independent authorization     Time-bounded orders, explicit scope, appeal rights
  Technical controls                        Least-intrusive methods, strict access control, independent auditing
  Transparency and remedy                   Reporting obligations, user redress mechanisms, error correction loops
  Victim support pipeline                   Fast takedown support and coordinated cross-border response

Notably, the Commission text itself discusses proportionality, fundamental-rights balancing, and limits/safeguards as core design elements. The implementation quality of those safeguards is where trust will be won or lost.

What this means for encrypted products like Onecryption

For privacy/security products, the strategic mistake is pretending policy does not matter. Users increasingly ask:

  • what can providers access,

  • what triggers reporting workflows,

  • how false positives are handled,

  • which safeguards are verifiable and by whom.

Clear documentation of trust boundaries is now a product requirement, not just legal fine print.

The governance test to apply to any proposal

Ask five concrete questions:

  1. Is the authority narrowly scoped and time-limited?

  2. Is there independent authorization and meaningful appeal?

  3. Are technical safeguards independently auditable?

  4. Are transparency reports detailed enough to detect drift?

  5. Do users and victims both have effective remedy channels?

If the answer is weak on any of these, the long-term risk shifts from targeted enforcement to systemic trust erosion.

Bottom line

Europe does not need to choose between child safety and encryption as a binary. It does need policy designs that are precise, constrained, auditable, and technically realistic. Broad powers without robust safeguards will degrade trust and security. Strong safeguards without operational capability will fail victims. Durable regulation must achieve both.

Sources

  • European Commission proposal COM(2022) 209 (full text): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022PC0209

  • Context on NCMEC report volumes as cited in the COM(2022) 209 explanatory memorandum.

  • General legal baseline: EU Charter rights balancing (privacy, data protection, child protection) discussed throughout COM(2022) 209.